login
Search
"I think the decision to merge Smack is something that needs to be considered in the wider context of overall security architecture," suggested James Morris following Andrew Morton's recent comment that he plans to merge the functionality in the upcoming 2.6.24 kernel. While James had no complaints about Smack itself, he expressed concerns regarding the pluggable nature of LSM, which is used by Smack, cautioning, "if LSM remains, security will never be a first class citizen of the kernel," adding, "on a broader scale, we'll miss the potential of Linux having a coherent, semantically strong security architecture." He noted that he'd rather see SELinux as the sole Linux security framework, "merging Smack, however, would lock the kernel into the LSM API. Presently, as SELinux is the only in-tree user, LSM can still be removed."
Linus Torvalds firmly stated, "LSM stays in. No ifs, buts, maybes or anything else." He explained, "you security people are insane. I'm tired of this 'only my version is correct' crap. The whole and only point of LSM was to get away from that." Linus continued, "I guess I have to merge AppArmor and SMACK just to get this *disease* off the table. You're acting like a string theorist, claiming that t here is no other viable theory out there. Stop it. It's been going on for too damn long." Stephen Smalley responded, "you argued against pluggable schedulers, right? Why is security different?" Linus explained:
"Schedulers can be objectively tested. There's this thing called 'performance', that can generally be quantified on a load basis.
"Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers. So the difference between them is simple: one is 'hard science'. The other one is 'people wanking around with their opinions'."
From: James Morris Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Oct 1, 4:33 am 2007 On Sun, 30 Sep 2007, Andrew Morton wrote: > So with the information which I presently have available to me, I'm > thinking that this should go into 2.6.24. I think the decision to merge Smack is something that needs to be considered in the wider context of overall security architecture. Smack itself looks fine. It seems like clean code with interesting ideas, and appears to be based upon sound principles. Merging Smack, however, would lock the kernel into the LSM API. Presently, as SELinux is the only in-tree user, LSM can still be removed. LSM's weak semantics and pervasive deep hooking of the kernel means that we'll have to continue dealing with several unpleasant issues, such as the abuse of the API by out of tree vendors, with a proliferation of binary/proprietary modules which typically maladapt the API for arbitrary purposes and/or use dangerous techniques. We will continue to waste resources maintaining this capability for them. On a broader scale, we'll miss the potential of Linux having a coherent, semantically strong security architecture. I have written about this in some detail before: http://lwn.net/Articles/240019/ Briefly, SELinux is a security architecture. It provides an extremely high degree of flexibility, in terms of both the types of security models implemented, and security policy for those models. It allows controlled composition of different security models, with a common policy language framework, allowing the entire system to be analyzed. The same ideas and even code can be reused beyond the kernel as post-DAC security is extended into databases, the desktop, distributed applications etc. It is a framework which provides a structured, coherent view of the security of the OS (and ultimately, the entire distributed environment). If LSM remains, security will never be a first class citizen of the kernel. Application developers will see multiple security schemes, and either burn themselves trying to support them, or more likely, ignore them. Core kernel developers will continue to not have enough information to understand what the LSM hooks in their code are supposed to be doing, leading to long term maintenance issues and potential security problems. LSM will remain a magnet for bad ideas. There's a reason we don't have pluggable network stacks, and we are lucky to have had a unified networking framework maintained by people who know to say no to things like STREAMS and TOE. I would question whether this quality of maintainership would exist if the networking core was simply a bunch of deep hooks into which people dumped arbitrary custom stacks. LSM will prevent us from making systemic improvements to security, as there will be no common security architecture. Things like Netfilter would not have been viable with a kernel which simply provided a bunch of hooks for networking stacks and an assortment of implementations. Much of this we have learned from the experience of LSM, and I think it has been valuable for that, but I think we need to consider now whether we are going to continue down this track in a permanent manner. - James -- James Morris <jmorris@namei.org> -
From: Linus Torvalds Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Oct 1, 8:07 am 2007 On Mon, 1 Oct 2007, James Morris wrote: > > Merging Smack, however, would lock the kernel into the LSM API. > Presently, as SELinux is the only in-tree user, LSM can still be removed. Hell f*cking NO! You security people are insane. I'm tired of this "only my version is correct" crap. The whole and only point of LSM was to get away from that. And anybody who claims that there is "consensus" on SELinux is just in denial. People are arguing against other peoples security on totally bogus points. First it was AppArmor, now this. I guess I have to merge AppArmor and SMACK just to get this *disease* off the table. You're acting like a string theorist, claiming that t here is no other viable theory out there. Stop it. It's been going on for too damn long. Linus -
From: Stephen Smalley Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Oct 1, 8:40 am 2007 On Mon, 2007-10-01 at 08:07 -0700, Linus Torvalds wrote: > > On Mon, 1 Oct 2007, James Morris wrote: > > > > Merging Smack, however, would lock the kernel into the LSM API. > > Presently, as SELinux is the only in-tree user, LSM can still be removed. > > Hell f*cking NO! > > You security people are insane. I'm tired of this "only my version is > correct" crap. The whole and only point of LSM was to get away from that. > > And anybody who claims that there is "consensus" on SELinux is just in > denial. > > People are arguing against other peoples security on totally bogus points. > First it was AppArmor, now this. > > I guess I have to merge AppArmor and SMACK just to get this *disease* off > the table. You're acting like a string theorist, claiming that t here is > no other viable theory out there. Stop it. It's been going on for too damn > long. You argued against pluggable schedulers, right? Why is security different? Do you really want to encourage people to roll their own security module rather than working toward a common security architecture and a single balanced solution (which doesn't necessarily mean SELinux, mind you, but certainly could draw from parts of it)? As with pluggable schedulers, the LSM approach prevents cross pollination and forces users to make poor choices. Some have suggested that security modules are no different than filesystem implementations, but filesystem implementations at least are constrained by their need to present a common API and must conform with and leverage the VFS infrastructure. Different security modules present very different interfaces and behaviors from one another and LSM doesn't provide the same kind of common functionality and well-defined semantics as the VFS. The result of merging many wildly different security modules will be chaos for application developers and users, likely leading them to ignore everything but the least common denominator. It almost makes more sense to merge no security modules at all than to have LSM and many different security modules. If Smack is mergeable despite likely being nothing more than a strict subset of SELinux (MAC, label-based, should be easily emulated on top of SELinux or via fairly simple extension to it to make such emulation simpler or more optimal), then what isn't mergeable as a separate security module? -- Stephen Smalley National Security Agency -
From: Linus Torvalds Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Oct 1, 9:04 am 2007 On Mon, 1 Oct 2007, Stephen Smalley wrote: > > You argued against pluggable schedulers, right? Why is security > different? Schedulers can be objectively tested. There's this thing called "performance", that can generally be quantified on a load basis. Yes, you can have crazy ideas in both schedulers and security. Yes, you can simplify both for a particular load. Yes, you can make mistakes in both. But the *discussion* on security seems to never get down to real numbers. So the difference between them is simple: one is "hard science". The other one is "people wanking around with their opinions". If you guys had been able to argue on hard data and be in agreement, LSM wouldn't have been needed in the first place. BUT THAT WAS NOT THE CASE. And perhaps more importantly: BUT THAT IS *STILL* NOT THE CASE! Sorry for the shouting, but I'm serious about this. > Do you really want to encourage people to roll their own security module > rather than working toward a common security architecture and a single > balanced solution (which doesn't necessarily mean SELinux, mind you, but > certainly could draw from parts of it)? As with pluggable schedulers, > the LSM approach prevents cross pollination and forces users to make > poor choices. Another difference is that when it comes to schedulers, I feel like I actually can make an informed decision. Which means that I'm perfectly happy to just make that decision, and take the flak that I get for it. And I do (both decide, and get flak). That's my job. In contrast, when it comes to security, I see people making IDIOTIC arguments, and I absolutely *know* that those arguments are pure and utter crap, and at the same time, I see that those people are supposed to be "experts". For example, you security guys still debate "inodes" vs "pathnames", as if that was an either-or issue. Quite frankly, I'm not a security person, but I can tell a bad argument from a good one. And an argument that says "inodes _or_ pathnames" is so full of shit that it's not even funny. And a person who says that it has to be one or the other is incompetent. Yet that is *still* the level of disagreement I see. So LSM stays in. No ifs, buts, maybes or anything else. When I see the security people making sane arguments and agreeing on something, that will change. Quite frankly, I expect hell to freeze over before that happens, and pigs will be nesting in trees. But hey, I can hope. > If Smack is mergeable despite likely being nothing more than a strict > subset of SELinux (MAC, label-based, should be easily emulated on top of > SELinux or via fairly simple extension to it to make such emulation > simpler or more optimal), then what isn't mergeable as a separate > security module? I'm simply not interested in this discussion. If you cannot understand the *meta*discussion above (which has nothing to do with SMACK or SELinux per se), I cannot help you. The biggest reason for me to merge SMACK (and AppArmor) would not be those particular security modules in themselves, but to inject a sense of reality in people. Right now, I see discussions about removign LSM because "SELinux is everything". THAT IS A PROBLEM. Linus -
From: Casey Schaufler Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Oct 1, 8:38 am 2007 --- James Morris <jmorris@namei.org> wrote: > On Sun, 30 Sep 2007, Andrew Morton wrote: > > > So with the information which I presently have available to me, I'm > > thinking that this should go into 2.6.24. > > I think the decision to merge Smack is something that needs to be > considered in the wider context of overall security architecture. Please recall the reason that we have LSM. It is so that Linus does not have to listen to the arguments over security architecture. > Smack itself looks fine. It seems like clean code with interesting ideas, > and appears to be based upon sound principles. Thank you. > Merging Smack, however, would lock the kernel into the LSM API. > Presently, as SELinux is the only in-tree user, LSM can still be removed. Ah, the nut of the issue. What follows then is the argument that SELinux should be the official security architecture of Linux. I disagree (like you hadn't figured that out) with this position. > LSM's weak semantics and pervasive deep hooking of the kernel means that > we'll have to continue dealing with several unpleasant issues, such as the > abuse of the API by out of tree vendors, Pulling LSM might slow a small set of abusers, but it wouldn't solve the problem, what with well documented VFS and driver layers available. > with a proliferation of > binary/proprietary modules which typically maladapt the API for arbitrary > purposes and/or use dangerous techniques. We will continue to waste > resources maintaining this capability for them. HeHe. I recall the response to some Tivoli developers when they made a request not to long ago. I seriously doubt that they feel the community is putting out much for them. > On a broader scale, we'll miss the potential of Linux having a coherent, > semantically strong security architecture. I have written about this in > some detail before: http://lwn.net/Articles/240019/ Here our opinions diverge strongly. My position is that the security architecture of SELinux is excessive in it's sophistication. > Briefly, SELinux is a security architecture. It provides an extremely > high degree of flexibility, in terms of both the types of security models > implemented, and security policy for those models. It allows controlled > composition of different security models, with a common policy language > framework, allowing the entire system to be analyzed. The same ideas and > even code can be reused beyond the kernel as post-DAC security is extended > into databases, the desktop, distributed applications etc. It is a > framework which provides a structured, coherent view of the security of > the OS (and ultimately, the entire distributed environment). None of which is new or unique to SELinux. > If LSM remains, security will never be a first class citizen of the > kernel. Application developers will see multiple security schemes, and > either burn themselves trying to support them, or more likely, ignore > them. What is the #1 SELinux FAQ? "How do I turn it off?" I'd suggest that application and system developers are perfectly capable of making rational decisions regarding the security model that is appropriate to their environments. > Core kernel developers will continue to not have enough information to > understand what the LSM hooks in their code are supposed to be doing, > leading to long term maintenance issues and potential security problems. Is that hypothetical, or do you have examples? > LSM will remain a magnet for bad ideas. Thanks a lot. > There's a reason we don't have > pluggable network stacks, and we are lucky to have had a unified > networking framework maintained by people who know to say no to things > like STREAMS and TOE. I would question whether this quality of > maintainership would exist if the networking core was simply a bunch of > deep hooks into which people dumped arbitrary custom stacks. The counter argument is of course VFS and the driver interface. I think that the file systems work pretty well. Except for the flakey ones. > LSM will prevent us from making systemic improvements to security, as > there will be no common security architecture. Things like Netfilter > would not have been viable with a kernel which simply provided a bunch of > hooks for networking stacks and an assortment of implementations. Unless you consider Smack a systemic improvement to security like I do. > Much of this we have learned from the experience of LSM, and I think it > has been valuable for that, but I think we need to consider now whether we > are going to continue down this track in a permanent manner. Why so defensive? SELinux is a fine implementation of Type Enforcement and if you like that sort of thing I'm all for you using it. Accept that it may not be for everyone. I certainly don't expect Smack on everyone's machine. Casey Schaufler casey@schaufler-ca.com -
From: Casey Schaufler Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Oct 1, 9:39 am 2007 --- Stephen Smalley <sds@tycho.nsa.gov> wrote: > On Mon, 2007-10-01 at 08:07 -0700, Linus Torvalds wrote: > > > > On Mon, 1 Oct 2007, James Morris wrote: > > > > > > Merging Smack, however, would lock the kernel into the LSM API. > > > Presently, as SELinux is the only in-tree user, LSM can still be removed. > > > > Hell f*cking NO! > > > > You security people are insane. I don't know if the field attracts the insane, or if being in the field drives one there, but I'm not going to deny that we have our share of high grade loonies. > > I'm tired of this "only my version is > > correct" crap. The whole and only point of LSM was to get away from that. > > > > And anybody who claims that there is "consensus" on SELinux is just in > > denial. > > > > People are arguing against other peoples security on totally bogus points. > > First it was AppArmor, now this. > > > > I guess I have to merge AppArmor and SMACK just to get this *disease* off > > the table. You're acting like a string theorist, claiming that t here is > > no other viable theory out there. Stop it. It's been going on for too damn > > long. > I'm pulling the whole arguement about when is pluggable good and when is it bad, as everybody seems inclined to use it to support thier own position. > If Smack is mergeable despite likely being nothing more than a strict > subset of SELinux Hogwash. > (MAC, label-based, Yes. > should be easily emulated on top of SELinux Sure, and I can emulate a rubber doorstop with Michealangeo's David, that doesn't make it a good idea. And I keep seeing "should", not "is". Emphatic assertion is not evidence. > or via fairly simple extension to it to make such emulation > simpler or more optimal), Making SELinux bigger would not make it suit the typical Smack use better. Smack is simplified, that's a major point. > then what isn't mergeable as a separate security module? Personally, I care about what I produced can do, and the uses to which it will be put. I am not convinced that SELinux can do many of the things that Smack can, and I know that a system that can only be used effectivly by Security Professionals is not for everyone. Smack has a different focus than SELinux. I see no need for hostility. If SELinux wants to incorporate Smack features, that's OK with me, but it won't make SELinux simpler. Heaven knows I have leaned heavily on the implementation example of SELinux. Casey Schaufler casey@schaufler-ca.com -
From: Theodore Tso Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Oct 1, 12:00 pm 2007 On Mon, Oct 01, 2007 at 11:40:39AM -0400, Stephen Smalley wrote: > You argued against pluggable schedulers, right? Why is security > different? > > Do you really want to encourage people to roll their own security module > rather than working toward a common security architecture and a single > balanced solution (which doesn't necessarily mean SELinux, mind you, but > certainly could draw from parts of it)? As with pluggable schedulers, > the LSM approach prevents cross pollination and forces users to make > poor choices. Something should be pluggable, and some things not. We have multiple filesystems in the tree; but we only have one scheduler and one TCP/IP stack. I'm going to argue that security is more like filesystems than scheduling. The real problem with security is that there are no "hard numbers", as Linus puts it. Instead, there are different sets of requirements in terms of what is a valid threat model --- which will very depending on the environment and how the servers are deployed, and what the capabilities are of the adversary trying to penetrate said system --- and how end users are willing to compromise between security and convenience. This is much like filesystems, where one of the reasons why people chose different filesystems is because they have differing requirements and operational environments, and some filesystems are better suited for certain requirements and environments than others. In some environments, say if you are creating a system that will handle classified data for the U.S. government, there are formal requirements that your employer, the NSA, sign off on the solution. This allows the NSA to force the application programmers and end users to make the tradeoff tilt very much against convenience in favor of security. And given the threat models and capabilities of the adversaries involved, that's probably appropriate. But that's not necessarily appropriate for all users. SELINUX is so horrible to use, that after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux. And I can tell you that certain ISV's, when faced with users complaining that their commericial application which costs ten times as much as their Linux distribution doesn't work when SELinux is enabled, simply tells their customers to disable SELinux. I've often thought that one of the reasons why SELinux folks argue so strenuously against AppArmor is because since configuring it to support new applications is so much easier than SELinux, that on an even playing ground, in many commercial environments that dwarf the NSA-mandated security pain of the federal sector, there is fear that AppArmor would be much more popular with customers than SELinux. Yes, AppArmor protects against fewer threats; but if the choice is to go without SELinux because it's too painful to configure SELinux policy, surely some protection is better than none. > Some have suggested that security modules are no different than > filesystem implementations, but filesystem implementations at least are > constrained by their need to present a common API and must conform with > and leverage the VFS infrastructure. Different security modules present > very different interfaces and behaviors from one another and LSM doesn't > provide the same kind of common functionality and well-defined semantics > as the VFS. The result of merging many wildly different security > modules will be chaos for application developers and users, likely > leading them to ignore everything but the least common denominator. > It almost makes more sense to merge no security modules at all than to > have LSM and many different security modules. Look, the reality is that the common interface for application is system calls returning EPERM. If you have to rewrite applications to use a security module, or force application writers to create a complicated SELinux policy, application writers will simply balk. It Just Won't Happen. Commercial applications like Oracle, DB2, Websphere, BEA Application Server, Tivoli Storage Manager, and so on work on multiple OS's, and not just Linux. If the application developers are forced to use a Linux-specific API, most of them will just walk away; it's much simpler and cheaper to tell users to disable SELinux. And in the commercial world, we don't have the "big stick" the NSA has in the federal/defense space to force application writers to pay attention to SELinux. The situation is just the same with filesystems. The common API is POSIX. As filesystem writers, we often kvetch about how limiting certain filesystem interfaces created 30 years ago might be, but the reality is, very few applications will use extended interfaces, and so if we broke readdir() and told application writers that they had to use this wonderful new read_directory() API that was so much better than the old readdir() interface, they would laugh at us and ignore us. Why do security people think they have the ability to dictate to application writers that they use specialized API's or write arcane security policies? - Ted -
Offline
James Morris
> The other one is "people wanking around with their opinions".
I regret having to say this, and I don't mean to belittle James' work on SElinux, but that's got to be the best sum-up of his attitude towards any security module/feature in the kernel other than SElinux that I've ever read...
Hmm
James Morris does have a point.
But so does Linus Torvalds.
Both of them can't be right
Both of them can't be right :-)
I am with Linus on this
I am with Linus on this one.
I dont like his strong words, but I totally support the basic notion of ONE job at hand in this context.
And this means LSM for now.
I dont agree with Theodore Tso insofar that I dont believe the DEVELOPMENT of an active operating system
should be LIMITED BY ANY STANDARD(S) at all.
Take FHS or LSB. They have done NOTHING to improve Linux.
The work of the kernel devs has improved Linux!
More Hardware support => very good.
Easier administration => very good.
They've done things...
Sorry, but I don't agree.
FHS and LSB are intented to be (and they actually are) a common reference for distribution verdors. Without forcing these companies to follow some common guidelines, your goodness in easy administration couldn't be possible.
It's important to know if several distributions have the configuration files in the same places don't you think so? If there were not such standars, we could put all the configuration files under /usr/etc or the binaries under /bin/arch_directory/binaries
etc...
Drivers are important, but they are not the only think we should care about.
Cheers
FHS
FHS and LSB. The inventors of crap no one has used (/srv, /media -- except for a few clear cases no one can tell whether something belongs to /mnt or /media and as a result I have seen confused people mounting samba shares under /media...), killers of things that make sense and have been used ever since (libexec), standardizing things like the incomplete API of a particular Gtk+ version (insane on so many levels that I do not know where to start...) or rpm (and note I'm not a Debian zealot, I *like* rpm).
We need standardization. Standardization of best practices -- i.e. things people actually tried and used (like IETF does), and also tried other things, and compared and concluded this is the best solution. Not FHS and LSB and the many W3C groups that got out of control and just produce `standards'.
So, basically, you're saying
So, basically, you're saying that FHS is ok, except for things that it does differently than BSD. ;-)
Uh?
>standardizing things like [cut] rpm (and note I'm not a Debian zealot, I *like* rpm).
So what's wrong with standardising rpm then?
Standards in the Unix world
In the current Unix world, OS-level standards are just an afterthought.
What we really need is standards that are thought out and written before the actual product is coded and it's too late to change any bad decisions. Standards that would be discussed and drafted by not just one person interested in implementing a fancy feature in Linux.
I would really like to see AT LEAST SOME effort on interoperability between Linux, *BSDs and OpenSolaris -- even a single cross-post on mailing lists asking whether more than one party would be interested in drafting a kernel API. The end-user will always benefit from interoperability -- though politically, big players generally don't. I wouldn't like to accuse any Linux developers or companies, but the current situation is simply frustrating, and is only ever getting worse.
The current lowest common denominator is still ancient POSIX & friends, and it has been that way for decades. Meanwhile operating systems have multiplied feature-wise, in size and in complexity.
Creating standards before
Creating standards before code is written is actually a bad idea - that way you end up with something like CORBA, i.e. something nearly unimplementable. Much better way is what IETF does - for something to become standard, there have to be at least two independent implementations. Until them the draft may change, to fix issues found during implementation.
As for interoperability - there is some effort. The openat(2) syscalls, introduced in Solaris 9, were later implemented in Linux and AFAIK are on their way to become standard. The only thing that is needed for interoperability is a good will of all the parties, without NIH syndrome (like with Linux implementing epoll(2) just to be incompatible with kqueue(2)) etc.
Cooperation is the key
Yes, the IETF approach is a better one. But APIs like openat, epoll and kqueue were developed for one platform without involving others prior to rollout.
The problem really is that we need is cooperation before the API is set in stone by a single community. Otherwise it will just be "a BSD feature implemented in Linux", not "a feature of BSD and Linux."
openat() is an exception because its API is rather straightforward and self-contained. Things like epoll and kqueue need to go much deeper in the kernel, so one kernel's API might not map well to another. Remember the worthless /dev/poll implementation in Linux?
If consensus cannot be reached, that is okay too — at least they made the effort and got (possibly valuable) input from another community.
Thank you, Ted Tso
Now I don't feel nearly so stupid for not being able to make SELinux work.
Missed the Big One
You need to be able to swap security frameworks. If one you are using turns to have a flaw you need to be able to swap to a different one. This does not happen in the other one.
With the new containers coming to Linux I would love to see Security Containers. Application does not work with Selinux or the like due to config options being able to swap to another and monitor what it want and put it back.
So its not just a ON/OFF switch.
Everyone forgets the best security is the security that the attacker is sitting there ask himself what is on the other side and not being sure. Closed source does not give that. A complete reconfigurable security system on a groups of apps base does give that. Pluggable security is only part way there.
There is more than one way
There is more than one way to secure your home. It's up to the resident to choose the most appropriate.
Sharks
Sharks with frickin' laser beams attached to their heads!
It's a little disappointing
It's a little disappointing to see so much disharmony in the UNIX security world.
No open source package maintainer or commercial vendor would ship source without providing a Makefile, or ship an application without a readme or man page of some kind. In the future, it should be just as unthinkable to ship an application without a reasonable selinux policy.
But instead, Linus just seems to be saying that "security people are insane," and we should just sit back and shrug. But life is short, and if stuff isn't secure by default, it will probably never be secure. If kernel devs like Ted Tso keep saying security is too hard to do right, it becomes a self-fulfilling prophecy.
Disclaimer: yes, I know that most embedded systems probably will never care about selinux.
Disclaimer #2: I'm not using selinux now. Sigh...
Disclaimer #3: You don't
Disclaimer #3: You don't actually know what SELinux is doing.
> ship an application
> ship an application without a reasonable selinux policy.
Application providers, it seems, will NEVER spend resources for such policies.(and in commercial/foss world they don't have NSA with a contract stick to force them to do it) They are not security fans, and standard unix permissions model will always be fine for them.
So argument about one true policy supported by everyone is dismissed.
Standard selinux policy will always be the work of distributors, who choose selinux.
Actually i think it is great
Actually i think it is great that we can have this discussion in the open. Why is this a problem?
You actually prefer these types of discussion to take place behind closed doors?
Linus does not say there is no way he will change his mind. He made up his mind based on the apparent fact that there is no consensus on security, and that is where he steps in and puts his fist down.
It's like saying BOA could use the same lock on their vault as you have on your backdoor. That's just plain nuts.
Security is a trade-off on usability and protection. There is no absolute security.
RSBAC (www.rsbac.org) is yet
RSBAC (www.rsbac.org) is yet another solution that doesn't like LSM for technical reasons yet brings it's own extensible framework with stackable security modules (without the LSM deficiencies) Just though it was worth noticing. It currently only support it's own modules though I saw they plan some SELinux-TE-module for people who want it.
Improve LSM
Wouldn't it be possibly to improve LSM and rectify its supposed "deficiencies" so that SELinux and RSBAC does not have any objections towards it?
If RSBAC developers do not
If RSBAC developers do not cooperate with kernel developers in improving the LSM framework, they can pretty much forget about RSBAC being merged into mainline.
This means that in a few years they will get tired of maintaining the patchset and the project just dies. This is the common fate of kernel modules that try to survive out of the mainline kernel tree. Don't tell me those developers haven't seen enough examples yet.
This means that no distro will dare to support it because
(1) it would be forking from the mainline, which is avoided by today's distributions
(2) they would need to support and maintain the patchset for a long time even after it dies
I have no idea if LSM has
I have no idea if LSM has flaws or not. AppArmor also looks a bit like security through insecurity to me - in the 'I have ZoneAlarm installed, so I'm invincible from everything' sense. Hopefully people are being more knee-jerk about the damage this could do to FOSS's general reputation for security (what general reputation? ;)) than about favoritism for their particular monster.
So... all that said:
Heterogeny in security is a great advantage, and Linus is being smart to support that. While it's true that it only adds 'obscurity,' it does increase the expense of an attack -- if half a population has immunity, it requires twice the work to pwn 100%. Keeping the cost:benefit ratio high further reduces the motivation for the sort of broad, infrastructure-crippling attacks you see in the Windows monoculture.
Owning 100% may not be the goal of every attacker (far from it), but per the above, it's those attacks that can have the greatest cost to society at large, and it doesn't hurt to discourage and prevent them.
my 2 cents
I am a user of Linux, system administrator, application developer, C programmer and more...
Most "enhanced security" UNIXes that I used were difficult to use because they were either too strict and unconfigurable or too strict and difficult to configure. Terms like configurability, flexibility etc. mean nothing to me. A system admin is not a security expert and can easy make a system insecure if he configures security in a wrong way.
I did not google on this but has there ever been a survey with systems admins, security officers and application developers on what they like to see in Linux ?
my 2 cents:
This may be done with Smack or SELinux with an additional framework. I have no clue. But please, please, stop with vague arguments and emotional statements.
I think that "enhanced security" is something that still needs more research and is not crystalclear like VFS is. Therefore it might be a good idea to have something now that
allows all vendors to implement their own views on security and then the users will
decide which they like the most.